        /// <summary>
        /// Builds the Authenticode license document from the constant <c>licenseTemplate</c>,
        /// filling in the manifest's assembly identity, the manifest hash and the publisher data.
        /// The result is what <c>AuthenticodeSignLicenseDom</c> later signs.
        /// </summary>
        /// <param name="signer">Supplies Description, DescriptionUrl and the publisher certificate.</param>
        /// <param name="principal">The manifest's assemblyIdentity element; all of its attributes are copied onto the license.</param>
        /// <param name="hash">Manifest hash; an empty array yields an empty Hash attribute.</param>
        /// <returns>The populated, not yet signed license DOM.</returns>
        private static XmlDocument CreateLicenseDom(CmiManifestSigner2 signer, XmlElement principal, byte[] hash)
        {
            // Whitespace is part of the bytes the signature is later computed over, so keep it.
            XmlDocument license = new XmlDocument { PreserveWhitespace = true };
            // CA3057: DoNotUseLoadXml. Suppressed since the xml being loaded is a constant defined in this file.
            license.LoadXml(licenseTemplate);

            XmlNamespaceManager namespaces = new XmlNamespaceManager(license.NameTable);
            namespaces.AddNamespace("r", LicenseNamespaceUri);
            namespaces.AddNamespace("as", AuthenticodeNamespaceUri);

            const string grantPath = "r:license/r:grant";

            // Mirror the manifest's assembly identity attributes onto the license verbatim.
            XmlElement identity = license.SelectSingleNode(grantPath + "/as:ManifestInformation/as:assemblyIdentity", namespaces) as XmlElement;
            identity.RemoveAllAttributes();
            foreach (XmlAttribute source in principal.Attributes)
            {
                identity.SetAttribute(source.Name, source.Value);
            }

            // Hash of the manifest plus the optional publisher text.
            XmlElement information = license.SelectSingleNode(grantPath + "/as:ManifestInformation", namespaces) as XmlElement;
            string hexHash = hash.Length == 0 ? "" : BytesToHexString(hash, 0, hash.Length);
            information.SetAttribute("Hash", hexHash);
            information.SetAttribute("Description", signer.Description ?? "");
            information.SetAttribute("Url", signer.DescriptionUrl ?? "");

            // Subject name of the certificate that will Authenticode-sign this license.
            XmlElement publisher = license.SelectSingleNode(grantPath + "/as:AuthenticodePublisher/as:X509SubjectName", namespaces) as XmlElement;
            publisher.InnerText = signer.Certificate.SubjectName.Name;

            return license;
        }
        /// <summary>
        /// Signs the manifest held in <c>_manifestDom</c>: strips any existing strong-name signature,
        /// optionally rewrites the public key token, Authenticode-signs a license document when the
        /// signer carries a certificate, and finally strong-name signs the manifest in place.
        /// </summary>
        /// <param name="signer">Signing material; must be non-null and carry a strong-name key.</param>
        /// <param name="timeStampUrl">Timestamp server URL handed to the Authenticode step; null means no timestamp is requested there.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="signer"/> or its StrongNameKey is null.</exception>
        internal void Sign(CmiManifestSigner2 signer, string timeStampUrl)
        {
            // Start from a clean slate so signer infos from a previous run cannot leak into this one.
            _strongNameSignerInfo = null;
            _authenticodeSignerInfo = null;

            bool hasStrongNameKey = signer != null && signer.StrongNameKey != null;
            if (!hasStrongNameKey)
            {
                throw new ArgumentNullException("signer");
            }

            // Any previous strong-name signature is dropped before re-signing.
            RemoveExistingSignature(_manifestDom);

            bool replaceToken = (signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0;
            if (replaceToken)
            {
                ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey, _useSha256);
            }

            // Without a certificate there is nothing to Authenticode sign or timestamp; the strong-name
            // signature is then written without an embedded license.
            XmlDocument license = null;
            if (signer.Certificate != null)
            {
                // The <publisherIdentity /> element must be in the manifest before the license is derived from it.
                InsertPublisherIdentity(_manifestDom, signer.Certificate);

                XmlElement principal = ExtractPrincipalFromManifest();
                byte[] manifestHash = ComputeHashFromManifest(_manifestDom, _useSha256);
                license = CreateLicenseDom(signer, principal, manifestHash);
                AuthenticodeSignLicenseDom(license, signer, timeStampUrl, _useSha256);
            }

            StrongNameSignManifestDom(_manifestDom, license, signer, _useSha256);
        }
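        /// <summary>
        /// Signs a file on disk. PE files are Authenticode-signed through <c>SignPEFile</c>; anything else is
        /// treated as an XML (ClickOnce) manifest, signed via <see cref="SignedCmiManifest2"/> and saved back in place.
        /// </summary>
        /// <param name="cert">Signing certificate. For manifests it must carry an RSACryptoServiceProvider private key.</param>
        /// <param name="timestampUrl">Timestamp server, or null to skip timestamping.</param>
        /// <param name="path">File to sign; must exist.</param>
        /// <param name="targetFrameworkSupportsSha256">False forces SHA-1 even when the certificate would allow SHA-256.</param>
        /// <param name="resources">Localized error messages.</param>
        /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null, or <paramref name="path"/> is null or empty.</exception>
        /// <exception cref="FileNotFoundException"><paramref name="path"/> does not exist.</exception>
        /// <exception cref="InvalidOperationException">The certificate is not in a store (PE) or has no private key (manifest).</exception>
        /// <exception cref="ApplicationException">The key is not an RSA CSP key, the timestamp server is unreachable, or manifest signing fails for any other reason (original exception is the InnerException).</exception>
        private static void SignFileInternal(X509Certificate2 cert, Uri timestampUrl, string path, bool targetFrameworkSupportsSha256, System.Resources.ResourceManager resources)
        {
            // WinINet HRESULTs (0x80072EE7 name not resolved, 0x80072EFD cannot connect) that surface when the
            // timestamp server is unreachable; named so the catch block below does not compare magic numbers.
            const int HResultInternetNameNotResolved = -2147012889;
            const int HResultInternetCannotConnect = -2147012867;

            if (cert == null)
                throw new ArgumentNullException("cert");

            if (string.IsNullOrEmpty(path))
                throw new ArgumentNullException("path");

            if (!File.Exists(path))
                throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), path), path);

            // SHA-256 is used only when both the certificate and the target framework allow it.
            bool useSha256 = UseSha256Algorithm(cert) && targetFrameworkSupportsSha256;

            if (PathUtil.IsPEFile(path))
            {
                // PE signing goes through the platform APIs, which require the certificate to be in a store.
                if (!IsCertInStore(cert))
                    throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));

                SignPEFile(cert, timestampUrl, path, resources, useSha256);
                return;
            }

            // Manifest path: the XMLDSIG signer in this file only works with an RSA CSP private key.
            if (cert.PrivateKey == null)
                throw new InvalidOperationException(resources.GetString("SignFile.CertMissingPrivateKey"));

            if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
                throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));

            try
            {
                XmlDocument doc = new XmlDocument();
                doc.PreserveWhitespace = true;
                // DTDs are ignored so loading the manifest cannot expand entities or reach external resources.
                XmlReaderSettings xrSettings = new XmlReaderSettings();
                xrSettings.DtdProcessing = DtdProcessing.Ignore;
                using (XmlReader xr = XmlReader.Create(path, xrSettings))
                {
                    doc.Load(xr);
                }

                SignedCmiManifest2 manifest = new SignedCmiManifest2(doc, useSha256);
                RSACryptoServiceProvider privateKey = cert.PrivateKey as RSACryptoServiceProvider;

                // The CSP only needs to be re-created (with a provider type that can do SHA-256) on the SHA-256 path.
                RSACryptoServiceProvider csp = useSha256
                    ? SignedCmiManifest2.GetFixedRSACryptoServiceProvider(privateKey, useSha256)
                    : privateKey;

                CmiManifestSigner2 signer = new CmiManifestSigner2(csp, cert, useSha256);
                if (timestampUrl == null)
                    manifest.Sign(signer);
                else
                    manifest.Sign(signer, timestampUrl.ToString());

                doc.Save(path);
            }
            catch (Exception ex)
            {
                // Map the two "timestamp server unreachable" HRESULTs to a dedicated message; everything else is
                // wrapped so callers see one exception type with the original preserved as InnerException.
                int exceptionHR = System.Runtime.InteropServices.Marshal.GetHRForException(ex);
                if (exceptionHR == HResultInternetNameNotResolved || exceptionHR == HResultInternetCannotConnect)
                {
                    throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), ex);
                }
                throw new ApplicationException(ex.Message, ex);
            }
        }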
        /// <summary>
        /// Strong-name signs the manifest: computes an enveloped XMLDSIG signature over the
        /// <c>asm:assembly</c> root (embedding the Authenticode license in KeyInfo when one is given)
        /// and appends it to that root as the element with Id <c>StrongNameSignature</c>.
        /// </summary>
        /// <param name="manifestDom">Manifest to sign; modified in place.</param>
        /// <param name="licenseDom">Signed Authenticode license to embed in KeyInfo, or null for a strong-name-only signature.</param>
        /// <param name="signer">Carries the strong-name key and the SHA-256 preference.</param>
        /// <param name="useSha256">Controls the CSP fix-up only; the hash URIs follow <c>signer.UseSha256</c> (see note below).</param>
        /// <exception cref="NotSupportedException">The strong-name key is not exactly an RSACryptoServiceProvider.</exception>
        /// <exception cref="CryptographicException">The document has no <c>asm:assembly</c> root element.</exception>
        private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner2 signer, bool useSha256)
        {
            RSA snKey = signer.StrongNameKey as RSA;

            // Make sure it is RSA, as this is the only one Fusion will support.
            if (snKey == null)
            {
                throw new NotSupportedException();
            }

            // Setup namespace manager.
            XmlNamespaceManager nsm = new XmlNamespaceManager(manifestDom.NameTable);
            nsm.AddNamespace("asm", AssemblyNamespaceUri);

            // Get to root element.
            XmlElement signatureParent = manifestDom.SelectSingleNode("asm:assembly", nsm) as XmlElement;
            if (signatureParent == null)
            {
                throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
            }

            // Stricter than the RSA check above: the fix-up below requires the concrete CSP type, so any
            // other RSA implementation is rejected here rather than failing inside the cast.
            if (signer.StrongNameKey.GetType() != typeof(RSACryptoServiceProvider))
            {
                throw new NotSupportedException();
            }

            // Setup up XMLDSIG engine.
            ManifestSignedXml2 signedXml = new ManifestSignedXml2(signatureParent);
            // NOTE(review): the CSP fix-up follows the useSha256 parameter, while the signature and digest
            // methods below follow signer.UseSha256. Callers in this file pass _useSha256 for the parameter;
            // whether the two can ever disagree cannot be decided from here — confirm they share one source.
            signedXml.SigningKey = GetFixedRSACryptoServiceProvider(signer.StrongNameKey as RSACryptoServiceProvider, useSha256);
            signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
            // Without SHA-256 the signature method is left at the SignedXml default (not set explicitly here).
            if (signer.UseSha256)
                signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;

            // Add the key information. Clause order matters: it determines the serialized KeyInfo layout.
            signedXml.KeyInfo.AddClause(new RSAKeyValue(snKey));
            if (licenseDom != null)
            {
                signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
            }
            signedXml.KeyInfo.Id = "StrongNameKeyInfo";

            // Add the enveloped reference (empty URI = the whole enclosing document).
            Reference enveloped = new Reference();
            enveloped.Uri = "";
            if (signer.UseSha256)
                enveloped.DigestMethod = Sha256DigestMethod;

            // Add an enveloped then Exc-C14N transform.
            enveloped.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            enveloped.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(enveloped);

#if (false) // DSIE: New format does not sign KeyInfo.
            // Add the key info reference.
            Reference strongNameKeyInfo = new Reference();
            strongNameKeyInfo.Uri = "#StrongNameKeyInfo";
            strongNameKeyInfo.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(strongNameKeyInfo);
#endif
            // Compute the signature.
            signedXml.ComputeSignature();

            // Get the XML representation
            XmlElement xmlDigitalSignature = signedXml.GetXml();
            xmlDigitalSignature.SetAttribute("Id", "StrongNameSignature");

            // Insert the signature now.
            signatureParent.AppendChild(xmlDigitalSignature);
        }
        /// <summary>
        /// Authenticode-signs the license document: computes an enveloped XMLDSIG signature with the
        /// certificate's RSA private key, places it under <c>r:license/r:issuer</c> with Id
        /// <c>AuthenticodeSignature</c>, optionally timestamps it, and finally wraps the whole document
        /// in an <c>msrel:RelData</c> element.
        /// </summary>
        /// <param name="licenseDom">License produced by <c>CreateLicenseDom</c>; rewritten in place.</param>
        /// <param name="signer">Supplies the certificate, the X509 include option and the SHA-256 preference.</param>
        /// <param name="timeStampUrl">Timestamp server; null or empty skips timestamping.</param>
        /// <param name="useSha256">Passed to the CSP fix-up; the hash URIs themselves follow <c>signer.UseSha256</c>.</param>
        /// <exception cref="NotSupportedException">The certificate's public or private key is not an RSACryptoServiceProvider.</exception>
        private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, string timeStampUrl, bool useSha256)
        {
            // Make sure it is RSA, as this is the only one Fusion will support.
            if (signer.Certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider))
            {
                throw new NotSupportedException();
            }

            // NOTE(review): a null PrivateKey would surface here as NullReferenceException, not
            // NotSupportedException; the callers in this file appear to check for a private key first — confirm.
            if (signer.Certificate.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
            {
                throw new NotSupportedException();
            }

            // Setup up XMLDSIG engine.
            ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom);
            signedXml.SigningKey = GetFixedRSACryptoServiceProvider(signer.Certificate.PrivateKey as RSACryptoServiceProvider, useSha256);
            signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
            // Without SHA-256 the signature method is left at the SignedXml default (not set explicitly here).
            if (signer.UseSha256)
                signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;

            // Add the key information. The fixed-up CSP is created a second time here rather than reusing
            // signedXml.SigningKey; the order of the two clauses determines the serialized KeyInfo layout.
            signedXml.KeyInfo.AddClause(new RSAKeyValue(GetFixedRSACryptoServiceProvider(signer.Certificate.PrivateKey as RSACryptoServiceProvider, useSha256) as RSA));
            signedXml.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));

            // Add the enveloped reference (empty URI = the whole enclosing document).
            Reference reference = new Reference();
            reference.Uri = "";
            if (signer.UseSha256)
                reference.DigestMethod = Sha256DigestMethod;

            // Add an enveloped and an Exc-C14N transform.
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
#if (false) // BUGBUG: LTA transform complaining about issuer node not found.
            reference.AddTransform(new XmlLicenseTransform()); 
#endif
            reference.AddTransform(new XmlDsigExcC14NTransform());

            // Add the reference.
            signedXml.AddReference(reference);

            // Compute the signature.
            signedXml.ComputeSignature();

            // Get the XML representation
            XmlElement xmlDigitalSignature = signedXml.GetXml();
            xmlDigitalSignature.SetAttribute("Id", "AuthenticodeSignature");

            // Insert the signature node under the issuer element.
            XmlNamespaceManager nsm = new XmlNamespaceManager(licenseDom.NameTable);
            nsm.AddNamespace("r", LicenseNamespaceUri);
            XmlElement issuerNode = licenseDom.SelectSingleNode("r:license/r:issuer", nsm) as XmlElement;
            issuerNode.AppendChild(licenseDom.ImportNode(xmlDigitalSignature, true));

            // Time stamp it if requested (after signing, since the timestamp covers the signature).
            if (timeStampUrl != null && timeStampUrl.Length != 0)
            {
                TimestampSignedLicenseDom(licenseDom, timeStampUrl);
            }

            // Wrap it inside a RelData element. The wrapper is assembled as text and re-parsed by the DOM;
            // MSRelNamespaceUri is a constant from this file and OuterXml is already serialized XML.
            licenseDom.DocumentElement.ParentNode.InnerXml = "<msrel:RelData xmlns:msrel=\"" +
                                                             MSRelNamespaceUri + "\">" +
                                                             licenseDom.OuterXml + "</msrel:RelData>";
        }
        /// <summary>
        /// Produces the license document that the Authenticode signature is later computed over.
        /// Starts from the constant <c>licenseTemplate</c> and fills in the assembly identity copied from
        /// <paramref name="principal"/>, the manifest hash, the signer's description/URL and the
        /// certificate subject name.
        /// </summary>
        /// <param name="signer">Source of Description, DescriptionUrl and the publisher certificate.</param>
        /// <param name="principal">Manifest assemblyIdentity element whose attributes are copied verbatim.</param>
        /// <param name="hash">Manifest hash bytes; an empty array yields an empty Hash attribute.</param>
        /// <returns>The unsigned license DOM.</returns>
        private static XmlDocument CreateLicenseDom(CmiManifestSigner2 signer, XmlElement principal, byte[] hash)
        {
            XmlDocument dom = new XmlDocument();
            dom.PreserveWhitespace = true;   // the template's whitespace becomes part of what is signed
            dom.LoadXml(licenseTemplate);

            XmlNamespaceManager ns = new XmlNamespaceManager(dom.NameTable);
            ns.AddNamespace("r", LicenseNamespaceUri);
            ns.AddNamespace("as", AuthenticodeNamespaceUri);

            // 1. assemblyIdentity: drop the template's placeholder attributes and copy the manifest's.
            XmlElement identityElement = dom.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", ns) as XmlElement;
            identityElement.RemoveAllAttributes();
            XmlAttributeCollection principalAttributes = principal.Attributes;
            for (int i = 0; i < principalAttributes.Count; i++)
            {
                XmlAttribute current = principalAttributes[i];
                identityElement.SetAttribute(current.Name, current.Value);
            }

            // 2. ManifestInformation: manifest hash plus the optional publisher text.
            XmlElement infoElement = dom.SelectSingleNode("r:license/r:grant/as:ManifestInformation", ns) as XmlElement;
            string hashText = "";
            if (hash.Length != 0)
            {
                hashText = BytesToHexString(hash, 0, hash.Length);
            }
            infoElement.SetAttribute("Hash", hashText);
            infoElement.SetAttribute("Description", signer.Description ?? "");
            infoElement.SetAttribute("Url", signer.DescriptionUrl ?? "");

            // 3. AuthenticodePublisher: subject name of the signing certificate.
            XmlElement subjectElement = dom.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", ns) as XmlElement;
            subjectElement.InnerText = signer.Certificate.SubjectName.Name;

            return dom;
        }
        /// <summary>
        /// Signs <c>_manifestDom</c> in place. Steps, in order: clear cached signer infos, validate the
        /// signer, remove any existing strong-name signature, optionally replace the public key token,
        /// Authenticode-sign a license document if a certificate is present, then strong-name sign.
        /// </summary>
        /// <param name="signer">Signing material; must be non-null and carry a StrongNameKey.</param>
        /// <param name="timeStampUrl">Forwarded to the Authenticode step; null requests no timestamp.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="signer"/> or its StrongNameKey is null.</exception>
        internal void Sign(CmiManifestSigner2 signer, string timeStampUrl)
        {
            // Reset signer infos so nothing from an earlier Sign call survives into this one.
            _strongNameSignerInfo = null;
            _authenticodeSignerInfo = null;

            if (signer == null)
            {
                throw new ArgumentNullException("signer");
            }
            if (signer.StrongNameKey == null)
            {
                // Reported under the same parameter name: a signer without a key is treated as no signer.
                throw new ArgumentNullException("signer");
            }

            RemoveExistingSignature(_manifestDom);

            if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) != 0)
            {
                // Caller asked to keep the existing public key token.
            }
            else
            {
                ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey, _useSha256);
            }

            XmlDocument signedLicense = signer.Certificate == null
                ? null
                : CreateAndSignLicense(signer, timeStampUrl);

            StrongNameSignManifestDom(_manifestDom, signedLicense, signer, _useSha256);
        }

        /// <summary>
        /// Authenticode part of <see cref="Sign(CmiManifestSigner2, string)"/>: ensures the
        /// <c>&lt;publisherIdentity /&gt;</c> element exists, builds the license DOM from the manifest's
        /// principal and hash, and signs it.
        /// </summary>
        /// <returns>The signed license DOM to embed in the strong-name signature.</returns>
        private XmlDocument CreateAndSignLicense(CmiManifestSigner2 signer, string timeStampUrl)
        {
            InsertPublisherIdentity(_manifestDom, signer.Certificate);

            XmlElement principal = ExtractPrincipalFromManifest();
            byte[] manifestHash = ComputeHashFromManifest(_manifestDom, _useSha256);
            XmlDocument license = CreateLicenseDom(signer, principal, manifestHash);
            AuthenticodeSignLicenseDom(license, signer, timeStampUrl, _useSha256);
            return license;
        }
 /// <summary>
 /// Signs the manifest without requesting a timestamp; equivalent to
 /// <see cref="Sign(CmiManifestSigner2, string)"/> with a null timestamp URL.
 /// </summary>
 /// <param name="signer">Signing material; validated by the two-argument overload.</param>
 internal void Sign(CmiManifestSigner2 signer)
 {
     const string noTimestampUrl = null;
     Sign(signer, noTimestampUrl);
 }
        /// <summary>
        /// Strong-name signs the manifest: computes an enveloped XMLDSIG signature over the
        /// <c>asm:assembly</c> root (embedding the Authenticode license in KeyInfo when one is given)
        /// and appends it to that root as the element with Id <c>StrongNameSignature</c>.
        /// Accepts any RSA key; only RSACryptoServiceProvider keys go through the provider fix-up.
        /// </summary>
        /// <param name="manifestDom">Manifest to sign; modified in place.</param>
        /// <param name="licenseDom">Signed Authenticode license to embed in KeyInfo, or null for a strong-name-only signature.</param>
        /// <param name="signer">Carries the strong-name key and the SHA-256 preference.</param>
        /// <param name="useSha256">Controls the CSP fix-up only; the hash URIs follow <c>signer.UseSha256</c> (see note below).</param>
        /// <exception cref="NotSupportedException">The strong-name key is not an RSA key.</exception>
        /// <exception cref="CryptographicException">The document has no <c>asm:assembly</c> root element.</exception>
        private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner2 signer, bool useSha256)
        {
            RSA snKey = signer.StrongNameKey as RSA;

            // Make sure it is RSA, as this is the only one Fusion will support.
            if (snKey == null)
            {
                throw new NotSupportedException();
            }

            // Setup namespace manager.
            XmlNamespaceManager nsm = new XmlNamespaceManager(manifestDom.NameTable);

            nsm.AddNamespace("asm", AssemblyNamespaceUri);

            // Get to root element.
            XmlElement signatureParent = manifestDom.SelectSingleNode("asm:assembly", nsm) as XmlElement;

            if (signatureParent == null)
            {
                throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
            }

            // Redundant with the snKey null check above (snKey is StrongNameKey as RSA, so this can no longer
            // be true here); kept as-is, but it could be dropped.
            if (!(signer.StrongNameKey is RSA))
            {
                throw new NotSupportedException();
            }

            // Setup up XMLDSIG engine.
            ManifestSignedXml2 signedXml = new ManifestSignedXml2(signatureParent);

            // NOTE(review): the CSP fix-up follows the useSha256 parameter, while the signature and digest
            // methods below follow signer.UseSha256. Callers in this file pass _useSha256 for the parameter;
            // whether the two can ever disagree cannot be decided from here — confirm they share one source.
            if (signer.StrongNameKey is RSACryptoServiceProvider)
            {
                signedXml.SigningKey = GetFixedRSACryptoServiceProvider(signer.StrongNameKey as RSACryptoServiceProvider, useSha256);
            }
            else
            {
                // Non-CSP RSA implementations are used as-is.
                signedXml.SigningKey = signer.StrongNameKey;
            }
            signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
            // Signature method is set explicitly on both paths; the SHA-1 URI is only reached when the
            // signer has not opted into SHA-256.
            if (signer.UseSha256)
            {
                signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;
            }
            else
            {
                signedXml.SignedInfo.SignatureMethod = Sha1SignatureMethodUri;
            }

            // Add the key information. Clause order matters: it determines the serialized KeyInfo layout.
            signedXml.KeyInfo.AddClause(new RSAKeyValue(snKey));
            if (licenseDom != null)
            {
                signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
            }
            signedXml.KeyInfo.Id = "StrongNameKeyInfo";

            // Add the enveloped reference (empty URI = the whole enclosing document).
            Reference enveloped = new Reference();

            enveloped.Uri = "";
            if (signer.UseSha256)
            {
                enveloped.DigestMethod = Sha256DigestMethod;
            }
            else
            {
                enveloped.DigestMethod = Sha1DigestMethod;
            }

            // Add an enveloped then Exc-C14N transform.
            enveloped.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            enveloped.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(enveloped);

#if (false) // DSIE: New format does not sign KeyInfo.
            // Add the key info reference.
            Reference strongNameKeyInfo = new Reference();
            strongNameKeyInfo.Uri = "#StrongNameKeyInfo";
            strongNameKeyInfo.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(strongNameKeyInfo);
#endif
            // Compute the signature.
            signedXml.ComputeSignature();

            // Get the XML representation
            XmlElement xmlDigitalSignature = signedXml.GetXml();
            xmlDigitalSignature.SetAttribute("Id", "StrongNameSignature");

            // Insert the signature now.
            signatureParent.AppendChild(xmlDigitalSignature);
        }
        /// <summary>
        /// Authenticode-signs the license document: computes an enveloped XMLDSIG signature with the
        /// certificate's RSA private key, places it under <c>r:license/r:issuer</c> with Id
        /// <c>AuthenticodeSignature</c>, optionally timestamps it, and finally wraps the whole document
        /// in an <c>msrel:RelData</c> element.
        /// </summary>
        /// <param name="licenseDom">License produced by <c>CreateLicenseDom</c>; rewritten in place.</param>
        /// <param name="signer">Supplies the certificate, the X509 include option and the SHA-256 preference.</param>
        /// <param name="timeStampUrl">Timestamp server; null or empty skips timestamping.</param>
        /// <param name="useSha256">Passed to the CSP fix-up; the hash URIs themselves follow <c>signer.UseSha256</c>.</param>
        /// <exception cref="NotSupportedException">No RSA private key could be obtained from the certificate.</exception>
        private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, string timeStampUrl, bool useSha256)
        {
            // Make sure it is RSA, as this is the only one Fusion will support.
            // NOTE(review): presumably CngLightup.GetRSAPrivateKey resolves the private key via CNG or CAPI and
            // returns null when it is not RSA — confirm against CngLightup.
            RSA rsaPrivateKey = CngLightup.GetRSAPrivateKey(signer.Certificate);

            if (rsaPrivateKey == null)
            {
                throw new NotSupportedException();
            }

            // Setup up XMLDSIG engine.
            ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom);
            // only needs to change the provider type when RSACryptoServiceProvider is used;
            // any other RSA implementation is handed to SignedXml unchanged.
            var rsaCsp = rsaPrivateKey is RSACryptoServiceProvider?
                         GetFixedRSACryptoServiceProvider(rsaPrivateKey as RSACryptoServiceProvider, useSha256) : rsaPrivateKey;

            signedXml.SigningKey = rsaCsp;
            signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
            // Signature method is set explicitly on both paths; the SHA-1 URI is only reached when the
            // signer has not opted into SHA-256.
            if (signer.UseSha256)
            {
                signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;
            }
            else
            {
                signedXml.SignedInfo.SignatureMethod = Sha1SignatureMethodUri;
            }

            // Add the key information. The same key object used for signing is published in KeyInfo;
            // clause order determines the serialized KeyInfo layout.
            signedXml.KeyInfo.AddClause(new RSAKeyValue(rsaCsp));
            signedXml.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));

            // Add the enveloped reference (empty URI = the whole enclosing document).
            Reference reference = new Reference();

            reference.Uri = "";
            if (signer.UseSha256)
            {
                reference.DigestMethod = Sha256DigestMethod;
            }
            else
            {
                reference.DigestMethod = Sha1DigestMethod;
            }

            // Add an enveloped and an Exc-C14N transform.
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
#if (false) // BUGBUG: LTA transform complaining about issuer node not found.
            reference.AddTransform(new XmlLicenseTransform());
#endif
            reference.AddTransform(new XmlDsigExcC14NTransform());

            // Add the reference.
            signedXml.AddReference(reference);

            // Compute the signature.
            signedXml.ComputeSignature();

            // Get the XML representation
            XmlElement xmlDigitalSignature = signedXml.GetXml();
            xmlDigitalSignature.SetAttribute("Id", "AuthenticodeSignature");

            // Insert the signature node under the issuer element.
            XmlNamespaceManager nsm = new XmlNamespaceManager(licenseDom.NameTable);
            nsm.AddNamespace("r", LicenseNamespaceUri);
            XmlElement issuerNode = licenseDom.SelectSingleNode("r:license/r:issuer", nsm) as XmlElement;
            issuerNode.AppendChild(licenseDom.ImportNode(xmlDigitalSignature, true));

            // Time stamp it if requested (after signing, since the timestamp covers the signature).
            if (timeStampUrl != null && timeStampUrl.Length != 0)
            {
                TimestampSignedLicenseDom(licenseDom, timeStampUrl);
            }

            // Wrap it inside a RelData element. The wrapper is assembled as text and re-parsed by the DOM;
            // MSRelNamespaceUri is a constant from this file and OuterXml is already serialized XML.
            licenseDom.DocumentElement.ParentNode.InnerXml = "<msrel:RelData xmlns:msrel=\"" +
                                                             MSRelNamespaceUri + "\">" +
                                                             licenseDom.OuterXml + "</msrel:RelData>";
        }
 /// <summary>
 /// Signs the manifest without requesting a timestamp; equivalent to
 /// <see cref="Sign(CmiManifestSigner2, string)"/> with a null timestamp URL.
 /// </summary>
 /// <param name="signer">Signing material; validated by the two-argument overload.</param>
 internal void Sign(CmiManifestSigner2 signer)
 {
     const string noTimestampUrl = null;
     Sign(signer, noTimestampUrl);
 }